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Quantum key distribution performs the trick of growing a secret key in two distant places con- 
nected by a quantum channel. The main reason is that the legitimate users can bound the infor- 
mation gathered by the eavesdropper. In practical systems, whether because of finite resources or 
external conditions, the quantum channel is subject to fluctuations. A rate adaptive information 
reconciliation protocol, that adapts to the changes in the communication channel, is then required 
to minimize the leakage of information in the classical postprocessing. 

We consider here the leakage of a rate-adaptive information reconciliation protocol. The length of 
the exchanged messages is larger than that of an optimal protocol; however, we prove that the min- 
entropy reduction is limited. The simulation results, both on the asymptotic and in the finite-length 
regime, show that this protocol allows to increase the amount of distillable secret key. 
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I. INTRODUCTION 

Claude E. Shannon published his seminal "A mathe- 
matical theory of communications" [1] in 1948 after eight 
years of intermittent work [2]. The paper meant the 
birth of communications and coding theory. Shannon 
did not only establish the frame under which communi- 
cations systems could be studied and compared, he also 
proved their fundamental limits, i.e. the limiting rates 
for data compression and reliable transmission through 
noisy channels. This second result was specially surpris- 
ing since there was no certainty that reliable transmission 
with a positive rate was even possible [3] . 

A year later, in 1949, Shannon's "Communication the- 
ory of secrecy systems" [4] came to light. In words of 
Robert Gallager "Shannon's cryptography work can be 
viewed as changing cryptography from an art to a sci- 
ence" [2]. Shannon successfully applied the tools devel- 
oped in [1] to the problem of transmitting confidential 
messages through public channels. His main conclusion 
is that a message from a set of messages sent through a 
public channel can be obfuscated into a cypher-text with 
the help of a secret key in such a way that the number 
of possible originating messages is the whole set of mes- 
sages, that is, the cypher-text leaks no information to a 
possible eavesdropper. The condition for this to happen 
is that the number of secret keys is equal or greater than 
the number of messages. This condition only applies to 
eavesdroppers with unbounded resources, if we limit the 
storage or computing capability of the eavesdropper se- 
cret communications are possible without fulfilling the 
condition. It is evident that computing power resources 
that today might be considered as out of reach might be- 
come available in the near future. There is an implicit 
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risk in assuming that an eavesdropper is limited in any 
way beyond the fundamental limits that physics impose 
her, therefore the interest in establishing the scenarios in 
which some kind of security can be achieved without any 
assumption is self-evident. 

The distribution of secret keys or SKD is a prob- 
lem closely related to confidential communications. Two 
parties sharing a secret key can communicate privately 
through a channel in the conditions discussed in the pre- 
vious paragraph. We can then study the problem of se- 
cret key sharing as a way to achieve confidential com- 
munications. The main idea is that two distant parties 
can agree in a secret key if they have access to a shared 
source of randomness. The randomness source can take 
many incarnations, e.g. in the form of a source received 
from a trusted party or in the form of a noisy channel [5] . 

In most of the SKD scenarios the legitimate parties 
obtain instances of correlated sources which means that 
they obtain similar but not identical strings. It is then 
assumed that there is an authentic though otherwise pub- 
lic channel available to all parties — including the eaves- 
dropper. The legitimate parties can exchange additional 
information through this channel in order to reconcile 
their strings. They can do so by revealing some infor- 
mation about them, for instance the parities of carefully 
chosen positions. This process is known as information 
reconciliation [6]. It is not hard to see that the informa- 
tion exchanged through the public channel reduces the 
uncertainty that the eavesdropper has on the strings of 
the legitimate parties. Thus, a reduction in the leakage 
due to information reconciliation allows to increase the 
amount of distillable secret key. A second step known 
as privacy amplification is then needed [7]. In the pri- 
vacy amplification step the legitimate parties agree on a 
secret but shorter key of which the eavesdropper has a 
negligible amount of information. 

These mathematical models can have a real, i.e. phys- 
ical correspondence. One such a model is a physical 
fiber carrying single photons randomly polarized in one 



of two non-orthogonal basis [8] . Quantum key distribu- 
tion (QKD) is probably the main practical application of 
SKD. In a QKD protocol [8-10], two legitimate parties, 
Alice and Bob, aim at sharing an information theoretic 
secret key, even in the presence of an eavesdropper Eve. 
In the quantum part of such a protocol, Alice and Bob ex- 
change quantum signals, e.g. single photons, which carry 
classical information. For instance, Alice encodes a clas- 
sical bit onto the polarization or the phase of a photon 
and sends this photon to Bob who measures it. In any 
realistic implementation of a QKD protocol, the strings 
obtained after the exchange of the quantum signals suf- 
fer discrepancies mainly due to losses in the channel and 
noise in Bob's detectors but which are conservatively at- 
tributed to the action of an eavesdropper. Therefore, any 
QKD protocol must include the classical post-processing 
steps described above in order to extract a secret key 
from the correlated strings. 

The channel connecting Alice and Bob in a real sys- 
tem may substantially vary over time. The motivation of 
this work is to analyze the sp-protocol [11], an informa- 
tion reconciliation protocol that adapts to this channel 
variations. We had previously showed that in a classi- 
cal repetition scenario (i.e. with classical attackers and 
independent, identically distributed sources) its reconcil- 
iation efficiency is only limited by the quality of the er- 
ror correcting code used to implement the protocol [12]. 
We consider here the leakage of the sp-protocol with a 
quantum eavesdropper, both in the asymptotic and in 
the finite-length regime, and its impact on the amount of 
distillable secret key. 



II. PRELIMINARIES AND NOTATION 

Let A be a discrete random variable taking values in 
the finite alphabet X. The Shannon entropy [1], min- 
entropy and max-entropy [13] of X are respectively de- 
fined by: 



H{X) = - ^ px{x) logpx(a 



xex 



Hoo{X) = min (- \ogpx{x)) 



Ha{X) = log |a; e A- : px{x) > 0| 



(1) 



(2) 



(3) 



where ] • ] stands for the cardinality of a set. Logarithms 
in Eq. (1) to (3) and throughout the text are taken base 
two. It holds that H^{X) < H{X) < Ho{X), and the 
equality occurs when the outcomes in X are given by a 
uniform distribution. 

Now let X and Y be two jointly distributed discrete 
random variables taking values on alphabets X and y, 
respectively. The conditional entropy, min-entropy and 
max-entropy of X given Y is defined by: 



H{X\Y) = J2H{X\y) 
yey 



H^{X\Y)= min H^{X\y) 

yey 



Ho{X\Y) 



max_ffo(A|j/) 



(4) 

(5) 
(6) 



where the entropy of a random variable given an event is 
the entropy of the induced random variable. 

Let the state of a finite dimensional quantum system 
be represented by a trace one, positive semidefinite, op- 
erator on a (finite dimensional) Hilbert space H. We 
denote by V{H) the set of all states acting on H. 

Let us give some basic definitions about the quantum 
counterparts of these classical information measures. The 
equivalent of the entropy of a random variable is the von 
Neumann entropy of a state px [14]. It is defined as: 



H{X), 



-tT{px\0gpx) 



(7) 



where tr denotes the trace operation and we indicate with 
a subscript the state on which the entropy is computed. 
Henceforth it will be explicitly written whenever it helps 
clarifying a statement. 

Let pxY G V^Hx ®T-Ly) be a bipartite quantum state. 
The conditional quantum min-entropy of pxY given T-Ly 
is defined as: 

H^{X\Y) =sup(-logmin{AlAidx®cry > Rxy}) (8) 

where A > 0. 

If Hy is one dimensional: 

HUX\Y) - H^X) = -logA„ax(px) (9) 

where X^aa^ipx) outputs the maximum eigenvalue of px- 
We finally consider the smooth generalization of the 
conditional min-entropy introduced in [15]. Let {p^cr} G 
'P{'H), the trace distance between p and a is given by: 



\p-<t\\i =tr(|p-crl) 



(10) 



The smooth entropy was first defined as an optimiza- 
tion over all states e-close in terms of the trace distance. 
The smooth entropies have been redefined in terms of 
other measures such as the purified distance and verify 
additional properties [16, 17] but for the present study it 
suffices to consider the original definition. 

Let PXY e V{Hx ® Uy) and e > 0. The smooth 
version of Eq. (8) is given by: 



HI^{X\Y)p,,^snpHUX\Y) 



PXY 



(11) 



where the supreme is found over all pxY such that 

^Wpxy - PxyWi < £■ 



III. INFORMATION RECONCILIATION 

A. Impact of information reconciliation on the 
secret key length 

One common assumption in a SKD protocol is that all 
the parties have access to the outcomes of an independent 
identically distributed experiment repeated many times. 
If this assumption holds the parties can safely regard an 
average behavior as the law of large numbers guarantees 
that the joint outcome will be typical with high probabil- 
ity. However, assuming a repetition scenario might be un- 
realistic in some situations, in these cases key distillation 
can be considered for a finite number of outcomes of a 
joint experiment. This second, more restrictive, scenario 
is sometimes referred as finite-key distillation. Both the 
repetition [10] and the finite-key [18-20] scenarios have 
been addressed in QKD. 

The secrecy of a key K can be measured in terms of 
its closeness to a perfect one which is uniformly random 
and decoupled from the eavesdropper's system Z . A key 
K is considered e-secure if [21]: 



1 



WPKZ - TK ® Pz\\i < £ 



(12) 



The communications on the public channel might be 
one-way or two- ways. We have chosen to restrict the 
channel to one-way communications since our focus is on 
practical protocols with reduced distillation complexity, 
network requirements, etc. However, it should be noted 
that two-way communications can be used to distill a 
key in scenarios where one-way secret key distillation is 
not possible [5] and, in general, the amount of distillable 
secret key with two-way communications can be strictly 
higher than with one-way communications [22, 23]. 

In the repetition scenario and aided with one-way clas- 
sical communications, the maximum rate at which key 
can be extracted with e approaching zero as the number 
of repetitions goes to infinity is given by [24] : 



Let us assume that Alice and Bob exchange TV signals 
out of which they use m for estimating their correlations 
and t < N — m ior key distillation. If the correlations do 
not verify some conditions Alice and Bob abort the pro- 
tocol, £pE represents the probability that the parameter 
estimation procedure fails. 

Given some reconciliation protocol, C stands for the 
set of all possible reconciliation messages and Sec rep- 
resents the maximum probability that the estimate at 
Bob's site does not coincide with Alice's string. 

Let £pA represent the failure probability in the privacy 
amplification procedure, and e be a smoothing param- 
eter, then the rate at which the legitimate parties can 
distill an e-secure key is bounded by [25]: 



K'<^ (hi (X* I Z^C) - 2 log — ) 



(14) 



where e = npEepE+^EC+epA+f, and ripE is the number 
of estimated parameters. 

The smooth min-entropy in Eq. (14) can be evalu- 
ated to measure the net impact of information recon- 
ciliation [25]: 



ff^(X*|Z^^C)>if^(X*|Z^^)-leak 



(15) 



where leak is a purely classical term that tracks the 
amount of information correlated with A"* revealed dur- 
ing reconciliation. It is given by [15]: 



leak = i/o(C)-iJoo(C|A*) 



(16) 



The main effect of an imperfect reconciliation is a re- 
duction of the secret key rate, which in turn, in terms of 
the figures of merit of a QKD protocol, limits the distance 
range over which secret keys can be distilled [10, 26]. 



B. Fundamental limits of information reconciliation 



K = H{X\Z) -H{X\Y) 



(13) 



where X and Y are classical systems available to the 
legitimate parties Alice and Bob and Z is a quantum 
system at the eavesdropper's site. The first term at the 
rhs of Eq. (13) amounts to the randomness that can be 
extracted which is independent of Z while the second 
term can be regarded as the information that Alice and 
Bob should exchange to reconcile X and Y. 

Eq. (13) is valid only in the asymptotic case. However, 
a real system has only access to finite resources, which 
means that Alice and Bob not only have bounded compu- 
tational power but also they have to distill a secret key 
from a finite number of experiments. Thus, in general 
there is no convergence toward an ideal key and security 
has to be considered for an acceptable security threshold 
e. 



Let Alice and Bob be two parties holding x and y, 
two n-length strings that are respectively n outcomes of 
two jointly distributed random variables X and Y . A 
one-way reconciliation protocol on the strings x and y 
is a protocol that produces the strings Sx and Sy from 
X and y, respectively, after exchanging the message c{x) 
through the public channel. 

A reconciliation protocol is considered e-robust [6] if: 



E 



p{x,y)p{sx ^ Sy) <e 



(17) 



The efficiency of a reconciliation protocol can be mea- 
sured using a quality parameter ^^ that compares the 
amount of disclosed information with the minimum the- 
oretical disclosure: 



leak 



nH{X\Y) 



(18) 



the mininium nH{X\Y) is known as the Slepian-Wolf 
bound; it delimits the minimum rate for reliably describ- 
ing a source X to a distant party with access to side 
information Y [27]. 

It is well known the appropriateness of (linear) error 
correcting codes for the Slepian-Wolf problem [28]. In 
consequence, good error correcting codes can be used for 
information reconciliation. Let C{n,k) be a linear code 
with coding rate Rq — k/n, a message of length n — k 
called the syndrome [29] can be used to reconcile two 
sources with conditional entropy nH{X\Y). Even if n — fc 
is greater than the theoretical minimum, for finite lengths 
there is always non-zero error probability. We denote the 
rate of decoding errors or frame error rate (FER) by the 
parameter e. Then, a reconciliation protocol based on 
sending the syndrome of a linear code is e-robust, and 
the reconciliation efficiency is given by: 



^e = 



n — k 1 — i?o 

nH{X\Y) ~ H{X\Y) 



(19) 



However, an acceptable FER in a communications pro- 
tocol might not be sufficient in a security context. It is a 
common practice to divide the reconciliation process into 
two steps [18, 30]. In the first one, a common string is 
produced, for instance using an error correcting code as 
we just described. In the second one, Alice uniformly at 
random chooses a function / from a family of 2-universal 
hash functions [31] and computes a hash of her string 
f{sx)- Alice sends to Bob her choice / together with 
f{sx)- Bob computes his own hash value f{sy) and the 
protocol aborts if f{sx) ^ f{sy)- Since the choice of the 
hash function is independent of X, only the length of 
the hash [— logEEc] for some Eec > is added to the 
leakage: 



leak^-^^ = n(l - Rq) + [log 



Sec 



(20) 



The joint reconciliation process is eEC-robust where 
EEC can be chosen to be much smaller than the FER. 

It is clear from Eq. (19) that the length of the conver- 
sation when using a code is fixed to n — fc. That is, the 
amount of information does not adapt to the error rate 
in the channel. This is a perfect solution for the Slepian- 
Wolf problem since the correlations are fixed and known 
beforehand. However, in QKD it is common that the 
error rate varies from one execution to the next. In con- 
sequence, an adaptation of the coding rate is needed in 
order to use linear codes for reconciliation. 



IV. STUDY OF A RATE-ADAPTIVE 
PROTOCOL 

In this section we study the efficiency and impact 
of a rate-adaptive protocol, which is in essence the sp- 
protocol in [11] with an additional error verification step. 



A. Description of the rate-adaptive protocol 

In the following we detail the steps of a rate-adaptive 
information reconciliation protocol. 

Step 0: Pre-conditions. Alice and Bob agree on the fol- 
lowing parameters: (i) a pool of shared mother codes of 
length n, constructed for different rates; (ii) d the maxi- 
mum number of symbols (bits) that will be used to adapt 
the coding rate, and (iii) the target £ec which character- 
izes the length of the hashes. 

Step 1: Raw key exchange. Alice and Bob obtain two 
correlated strings x and y, respectively, of length n ~ d 
and a precise estimate of the error rate Pe. If Pe is outside 
their target rates they abort the protocol. Otherwise, 
both parties select the appropriate code C and compute 
the adequate number of symbols (bits) s to reveal, with 
s < d, such that the coding rate is then adapted to pe. 

Step 2: Coding. Alice creates a extended string x of 
length n by concatenating x and x' , a uniformly random 
string of length d. Alice sends to Bob the hash value f{x), 
the syndrome of a; on C and the values and positions of 
s symbols among the d symbols randomly generated. 

Step 3: Decoding. Bob creates a extended string of 
length n by concatenating y and y' , a uniformly random 
string of length d. Bob sets the values of the received 
s symbols to their correct value. Bob computes y his 
estimate of x and f{y) his own hash value. If f{y) ^ f(x) 
they abort the protocol. 

We would like to remark that in Step 2 both the ver- 
ification tag and the reconciliation message are jointly 
encoded and sent to Bob. There is no extra interactivity 
coming from error verification, still only one message is 
exchanged for reconciliation and a second one from Bob 
to Alice is sent to notify the success or failure of the 
protocol. 



B. Leakage 

The sp-protocol creates an extended system X*X' 
by adding d symbols (bits) with random values. The 
Slepian-Wolf bound implies that for successful reconcili- 
ation the length of the reconciliation message should be 
greater than: 



H{X*X'\Y*)=H{X^Y^) + d (21) 

which is trivially larger than _ff(A*]y*) if d > 0. 



However, the appropriate comparison is in terms of 
the conditional smooth entropy on the reconciled sys- 
tem, since it is the magnitude that limits the distillable 
key after the reconciliation step. Lemma 1 shows that 
the smooth min-cntropy decrease produced by the sp- 
protocol on the extended system is equivalent to the de- 
crease produced by an error correcting code with rate R 
on the original system. This equivalent coding rate R is 
given by: 



if^(X'|/)0-leak=(,s+p) 



R 



(22) 



The dependence of i? on d and s allows to understand 
how the protocol adapts the amount of information dis- 
closed for reconciling errors. Since the value of d is fixed 
previous to the execution of the protocol, it is s, the num- 
ber of symbols (bits) revealed to Bob on the public chan- 
nel, the parameter available to Alice for modulating the 
coding rate. A higher value of s increases the informa- 
tion available to the decoder allowing to reconcile noisier 
strings, while a lower value of s allows to reduce the leak- 
age by increasing the coding rate. On the other hand, d 
sets the range of achievable rates, from {k — d)/{n — d) to 
k/(n — d). The extremal values correspond to the limit- 
ing cases of revealing the d symbols (bits) and revealing 
no information on the public channel. 

Lemma 1. Let px*z" ^6 ct bipartite state and (Tx'^x'z^c 
the extension resulting from the application of the sp- 
protocol. Then the smooth min- entropy of the extended 
system X*X' given Z^ C can he hounded hy: 



Hl,{X'X'\Z^C). > Hl,{X'\Z)p - t{l -R)- [log ] 

£ec 



Proof. 



H'^' {X'X'\Z^C)„ > H'+' iX*X'\Z^)^ - leak 
= H'^''{X'X'\Z^I)^-leak 
>Hl,{X'\Z^)^ + Hi{X'\I), 
—leak 



Let e' > 0. The first inequality follows from Eq. (15) 
that bounds the impact of the conversation. We can 
trivially extend the state on o'xtx'Z'"' to 4'X'^x'Z'^i — 
fx'jf'z™ ® id/, where / is a one dimensional system, 
without changing the value of the smooth min-entropy 
{H'^^\X'X'\Z^)„ = H'J''{X'X'\Z^I)^); the first 
equality holds by this argument. We can apply Renner's 
superadditivity theorem in [15] for product states to ob- 
tain the second inequality. If we now consider just the 
second and third terms from this last relation we obtain: 



-[s + n{l-Ro)+\log 1 



£ec 

= -t{l-R)-\\og-^^ 

£ec 

We can choose e' = and since / is one-dimensional 
Hryo{X'\I)^ reduces to H^{X')^. Furthermore, X' is 
classical and uniformly distributed thus maximizing the 
min-entropy. The leakage is obtained by tracking the 
amount of information sent from Alice to Bob during the 
protocol and subtracting the part that is independent 
from X*X'. 

We recover the desired result if we consider that 
4'x*x'Z'^i is also an extension of px^-z^ which means 
thati7^(X*|Z^)^ = H^(X*|Z^),. 

D 



V. SIMULATION RESULTS 

In this section we compare the tradeoffs between us- 
ing the sp-protocol, non-adapted error correcting codes 
and Cascade (a well-known interactive protocol proposed 
in [6] and implemented in most QKD systems). First we 
present the difference of the reconciliation protocols in 
terms of asymptotic leakage and then we plug them in 
a QKD protocol and compare the distillable secret key 
with finite resources. 

The strings are assumed to be binary and are modeled 
as the input and output of a binary symmetric channel 
(BSC). This is appropriate in the case of some QKD pro- 
tocols [8, 32, 33] if errors on the quantum channel are 
symmetric and independent. 

For convenience, we have implemented the rate adap- 
tive sp-protocol with irregular binary low-density parity- 
check (LDPC) codes since there is a wealth of material 
and information available: a number of matrices, decod- 
ing algorithms and communication standards have been 
proposed in the last years for these codes. However, non- 
binary LDPC codes [34] or other code families [35], could 
probably be adapted to implement the sp-protocol. We 
fixed the proportion of modulated symbols to d/n = 5%. 

Fig. 1 shows the leakage rate (leak^"^*^ /t) as a function 
of the QBER. An optimal protocol achieving the Slepian- 
Wolf bound (solid line) is compared to the asymptotic 
sp-protocol computed using the theoretical analysis de- 
scribed in the Appendix B (dashed line) and to Cascade 
(dotted line). Note that for Cascade, instead of upper 
bounding the leakage with the analytical estimate given 
in [6] which might be overly pessimistic, we used as up- 
per bound the leakage rate with large blocks of length 
10^ (see Appendix A for numerical justification). 

Both Cascade and the sp-protocol are close to optimal 
for small QBERs. However, approximately over 3% they 
begin to diverge and while the former follows closely the 
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FIG. 1. The asymptotic leakage of the sp-protocol, the leak- 
age of Cascade and the leakage for a perfect reconciliation 
procedure are compared as a a function of the QBER. 



Slepian-Wolf bound the latter clearly has a higher leak- 
age. 

To analyze the impact of reconciliation on the achiev- 
able secret key rate, we have chosen the prepare and mea- 
sure version of BB84 and consider for simplicity and in 
order to highlight the effect of reconciliation, an idealized 
scenario: we assume that Alice and Bob have access to 
single photon sources and perfect detectors. Following 
[36] the secret key in this setting can be distilled at a 
rate: 



K' < — ((1 



h{Q)) - Ait) - leak/i) 



(23) 



where h is the binary entropy function, Q is the estimated 
QBER that takes into account statistical fluctuations due 
to the finite length case, and A is the smoothing param- 
eter that allows to lower bound the smooth min-entropy 
in Eq. (14) [25]. 

Fig. 2 shows the secret key rate as a function of the 
number of exchanged signals (N). We compare in this 
figure the secret key rate for three different QBER values 
(4%, 5% and 6%) using a perfect reconcihation protocol. 
Cascade, and the sp-protocol. The security parameter e 
is set to 10~^, and Eec = 10~^°, as suggested in [36]. 

The convergence of LDPC codes towards the asymp- 
totic value is slower than that of Cascade (see Appendix 
A). In consequence the optimality of the distillable key 
with this implementation of the sp-protocol increases 
with the length: shifting from close to Cascade for small 
lengths to close to the optimal value asymptotically. For 
low QBERs and small lengths, the slow convergence of 
LDPC codes together with the good efficiency of Cascade 
in this region make both secret key rates very similar. 
For higher QBERs, even for small lengths the LDPC im- 
plementation of the sp-protocol clearly outperforms Cas- 
cade. 
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FIG. 2. (Color online) Secret key rate in the finite-key 
regime for a perfect reconciliation procedure, the sp-protocol, 
and considering the efficiency of Cascade. Three different 
QBER values are considered (from left to right): 4% (blue), 
5% (green) and 6% (red). Other parameters: e = 10~^, 
£EC = 10~'°. 



VI. DISCUSSION 

This paper analyzes some improvements in the classical 
post-processing of QKD protocols. The key distillation 
process can be divided in two steps: information recon- 
ciliation and privacy amplification. Information reconcil- 
iation allows to establish a common string while in the 
privacy amplification step a shorter but more secure key 
is created. Both steps are highly coupled: in essence ev- 
ery bit exchanged in the information reconciliation step 
implies that one additional bit has to be removed of the 
final key in the privacy amplification step. 

The problem of correcting the discrepancies between 
the strings of the legitimate parties is also known as the 
problem of source coding with side information by the 
information theory community. Under this paradigm, the 
theoretical limits of information reconciliation are given 
by the Slepian-Wolf bound. Information reconciliation 
is, then, basically error correction. 

We have adopted a pragmatic approach towards er- 
ror correction and used modern coding techniques well 
suited for QKD purposes. In a real QKD scenario we 
have to deal with a broad range of error rates. Further, 
the number of accesses to the classical public communica- 
tion channel should be limited. As opposed to the eaves- 
dropper that should, for the sake of security, be assumed 
to have access to unbounded resources, the legitimate 
parties are equipped with a finite amount of resources. 

The sp-protocol, induced by a mother code of rate Rq 
allows the legitimate parties to adapt the reconciliation 
step to varying conditions. However, it exchanges a mes- 
sage longer than the optimal one. We proved that the 
sp-protocol is equivalent to the use of a code with an 
adapted rate R. The claim holds in the sense that the 



smooth min-cntropy reduction of the former in an ex- 
tended system is bounded by the reduction of the latter 
in the original system. 

We implemented the sp-protocol with irregular LDPC 
codes. The results obtained indicate that the sp-protocol 
asymptotically behaves close to the theoretical limit. We 
claim no optimality in our implementation of the sp- 
protocol and certainly it could be expected that other 
code families are better suited to short key lengths or 
to other kind of correlations different than those mod- 
eled by a BSC. The analysis, however, applies to any 
linear error correcting code. In consequence, it allows 
to consider rate-adaptive information reconciliation as a 
specific code design problem. We believe that this pro- 
tocol opens the doors to consider simpler and possibly 
better schemes for the classical postprocessing in secret 
key distillation protocols. 



Appendix A: Cascade simulations 

In order to estimate the asymptotic leakage of Cascade 
we simulated the protocol with strings of length 10^, 10'"' 
and 10^. The results on Table I show that with a string 
length of 10® the leakage rate has already converged. 



QBER 


10* 


10^ 


10® 


0.01 


0.0917 


0.0914 


0.0914 


0.04 


0.285 


0.284 


0.284 


0.05 


0.338 


0.338 


0.338 


0.06 


0.390 


0.390 


0.390 



is known as density evolution [37] and allows to compute 
the asymptotic decoding threshold of a code family on 
a communications channel. In general, densities are up- 
dated following this recurrence relation: 



/+'{x)=p{poix)*X{/{x))) 



(Bl) 



TABLE I. This table shows the leakage rate of Cascade for 
strings of length 10 , 10^ and 10 as a function of the QBER. 



where p is the average probability on symbols on the 
decoding iteration £ if the code graph is tree like, X{x) and 
p{x) are the symbol and check node degree polynomials 
respectively, poix) is the initial message density, and * 
stands for convolution. 

In section V, we focused our attention in the BSC. 
This channel is characterized by a single parameter: the 
crossover probability e. That is, a bit is either noiselessly 
transmitted with probability 1 — e or flipped with prob- 
ability £. The channel is then modeled by the following 
initial density distribution: 



Po{x) - eALie)ix) + (1 - e)A_i(,)(.T) (B2) 

where L(e) ~ log j^ is a log-likelihood ratio, and 
At{x) ~ 5{x — t) is the Dirac delta function displaced 
at position t. 

Now, in the sp-protocol, an n-length raw string is com- 
posed of n — d bits sent through a noisy channel, in this 
case the above described BSC, and d bits with randomly 
assigned values out of which s are revealed through the 
public and noiseless channel. Let a and tt, stand for the 
fraction of bits that are completely known and unknown 
to the decoder, respectively, we can compute the asymp- 
totic behavior of the sp-protocol with the following initial 
density: 



Appendix B: Theoretical analysis of rate modulated 

codes 



Po{x) 



--{l-TT- 

+7rAo(: 



(T 



■L(e)ix) + {1 - e)A_n^){x)] 
x]+crAoo{x) 



i[eA, 



(B3) 



Binary linear codes admit a bipartite graph representa- 
tion in which symbols are linked with parity checks. An 
ensemble of irregular binary LDPC codes can be defined 
by the degree distributions on the edges of symbols and 
checks [37]. We can study the behavior of an ensemble 
under a message passing algorithm by tracking the evolu- 
tion of the message distributions. This recursive tracking 
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